Parameters let a page load data from the back end, e.g., an ID or a search query. They make websites more interactive with the back end and easier for visitors to use. Multiple parameters can be added to a single page with the help of special characters such as (&, +, ;), which makes the page dynamic and lets a single page have multiple views. Pages accept only parameters defined by developers in code, and these should be sanitized properly to avoid malicious activity.
e.g. https://websiteurl.com/dish?organization?uid=23
HTTP Parameter Pollution is simply adding one extra parameter similar to one already used by the server. Through parameter pollution, we can bypass the Web Application Firewall (WAF) checks that are used as input validation checkpoints, as well as rulesets used for blacklisting. Behind the scenes, the front end validates only one parameter, and the other parameter gets passed to the back end without checks.
e.g. https://websiteurl.com/dish?organization?uid=23&uid=25
First, gather information about the back end and the parsing method used by the application. Then find the parameters that take input from the user and check how the application behaves after parameter tampering. Parameter Pollution can be tested against GET request parameters, POST parameters, and the Cookie header.
Different languages and frameworks handle these parameters differently: some consider the first parameter, some go for the second parameter, and some combine the second parameter with the first. For exploitation, an attacker needs to craft a payload according to the back end of the web application.
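As an added example (not code from the original article), the Python sketch below shows how one query string resolves under the three behaviours described above, and a strict check that rejects repeated names before validating the value. The function names and the sample query uid=23&uid=25 are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Three ways a parser can resolve a repeated parameter name, as described above.
STRATEGIES = {
    "first": lambda values: values[0],
    "last": lambda values: values[-1],
    "concat": lambda values: ",".join(values),
}


def group_params(query):
    """Return {name: [values in order of appearance]} for a raw query string."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def interpretations(query):
    """Show what each resolution strategy would hand to application code."""
    grouped = group_params(query)
    return {
        label: {name: pick(values) for name, values in grouped.items()}
        for label, pick in STRATEGIES.items()
    }


def polluted_names(query):
    """Names that appear more than once; a validator must not ignore these."""
    return sorted(n for n, v in group_params(query).items() if len(v) > 1)


def validate_uid(query):
    """Strict check (hypothetical): reject duplicates, then validate the one value."""
    if polluted_names(query):
        return False  # ambiguous input: front end and back end may disagree
    values = group_params(query).get("uid", [])
    return len(values) == 1 and values[0].isdigit()


if __name__ == "__main__":
    sample = "uid=23&uid=25"  # constructed sample input
    for label, params in interpretations(sample).items():
        print(label, params)
    print("duplicates:", polluted_names(sample))
    print("accepted:", validate_uid(sample))
```

Rejecting any request that repeats a parameter name removes the ambiguity, so the value that is validated is the same value the back end uses.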
In this section, we will be discussing the exploitation of Parameter Pollution in Business Logic flow. Here is an application that provides services for online food ordering.
Fig. – Adding Item to Cart.
Fig. – Performing Parameter Pollution on qty parameter
Fig. – Parameter Pollution exploited Successfully
Parameter Pollution is a test case; it is not a vulnerability by itself, but it can be chained with another vulnerability. It can be used for URL rewriting and for changing the behavior of the application. The impact of Parameter Pollution depends on the context or the web application's functionality. Parameter Pollution affects server-side as well as client-side components.
Author,
Abhijit Karande
Attack & Pentest Team
Varutra Consulting Pvt. Ltd.